News

Vulnerability allowed code execution via PayPal confirmation emails

By admin
Spread the love

German security researcher Benjamin Kunz Mejri has identified a vulnerability in PayPal’s account system that could allow malicious code to be sent via confirmation emails. He reported this through the bug bounty program.

To send the malicious emails, Mejri used an existing PayPal account. The vulnerability consisted in that he could enter arbitrary code in the field where the name of the account holder should be. For that it was necessary to first bypass a filter. He then took advantage of the feature to share a PayPal account with others by adding several email addresses.

The entered addresses were therefore sent an e-mail, in which they were asked to confirm the addition. When the user opened the email, the malicious code was executed from PayPal’s servers.

This made it possible to carry out phishing attacks, among other things, with the advantage that the emails came from the official PayPal domain. Session hijacking and redirection to other pages were also possible. The vulnerability was removed at the beginning of March and Mejri received 1000 dollars for his report, which is converted to 880 euros.

You might also like
News

EU Council determines position on security requirements for digital products

News

Meta introduces open source language model Llama 2, works on PCs and phones

News

Igor’s Lab shares specs LGA1851 socket Arrow Lake: PCIe 5.0 SSDs and more pins

News

Sony and Microsoft sign agreement to keep Call of Duty on PlayStation

News

Bambu Lab announces P1S 3D printer

News

Valve releases major Team Fortress 2 update with community maps and new taunts